Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Signature bypass via multiple root elements in node-SAML
Vulnerability Description
node SAML is a SAML 2.0 library based on the SAML implementation of passport-saml. A remote attacker may be able to bypass SAML authentication on a website using passport-saml. A successful attack requires that the attacker is in possession of an arbitrary IDP signed XML element. Depending on the IDP used, fully unauthenticated attacks (e.g without access to a valid user) might also be feasible if generation of a signed message can be triggered. Users should upgrade to node-saml version 4.0.0-beta5 or newer. Disabling SAML authentication may be done as a workaround.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Vulnerability Type
密码学签名的验证不恰当
Vulnerability Title
node-saml 数据伪造问题漏洞
Vulnerability Description
node-saml是一个 SAML 库,不依赖于在 Node.js 中运行的任何框架。 node-saml 4.0.0-beta.5之前版本存在数据伪造问题漏洞,攻击者利用该漏洞可以使用 passport-saml 绕过网站上的 SAML 身份验证。
CVSS Information
N/A
Vulnerability Type
N/A